From owner-svn-src-all@freebsd.org Tue Sep 3 14:07:44 2019 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D29BDDD18D; Tue, 3 Sep 2019 14:06:55 +0000 (UTC) (envelope-from yuripv@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46N7zz3GBGz4Q2n; Tue, 3 Sep 2019 14:06:55 +0000 (UTC) (envelope-from yuripv@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1452) id 6EB8D1AD70; Tue, 3 Sep 2019 14:06:21 +0000 (UTC) X-Original-To: yuripv@localmail.freebsd.org Delivered-To: yuripv@localmail.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client CN "mx1.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by freefall.freebsd.org (Postfix) with ESMTPS id ED18BB137; Mon, 15 Apr 2019 17:14:55 +0000 (UTC) (envelope-from owner-src-committers@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3B71C8A541; Mon, 15 Apr 2019 17:14:55 +0000 (UTC) (envelope-from owner-src-committers@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 538) id 13530B0EB; Mon, 15 Apr 2019 17:14:55 +0000 (UTC) Delivered-To: src-committers@localmail.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client CN "mx1.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by freefall.freebsd.org (Postfix) with ESMTPS id 13481B0E9 for ; Mon, 15 Apr 2019 17:14:52 +0000 (UTC) (envelope-from gallatin@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B14558A53A; Mon, 15 Apr 2019 17:14:51 +0000 (UTC) (envelope-from gallatin@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8E58EB0F7; Mon, 15 Apr 2019 17:14:51 +0000 (UTC) (envelope-from gallatin@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x3FHEp1K065060; Mon, 15 Apr 2019 17:14:51 GMT (envelope-from gallatin@FreeBSD.org) Received: (from gallatin@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x3FHEpDM065058; Mon, 15 Apr 2019 17:14:51 GMT (envelope-from gallatin@FreeBSD.org) Message-Id: <201904151714.x3FHEpDM065058@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gallatin set sender to gallatin@FreeBSD.org using -f From: Andrew Gallatin To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r346247 - head/sys/dev/mlx5/mlx5_en X-SVN-Group: head X-SVN-Commit-Author: gallatin X-SVN-Commit-Paths: head/sys/dev/mlx5/mlx5_en X-SVN-Commit-Revision: 346247 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk X-Loop: FreeBSD.org Sender: owner-src-committers@freebsd.org X-Rspamd-Queue-Id: 3B71C8A541 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.966,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] Status: O X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Tue, 03 Sep 2019 14:07:44 -0000 X-Original-Date: Mon, 15 Apr 2019 17:14:51 +0000 (UTC) X-List-Received-Date: Tue, 03 Sep 2019 14:07:44 -0000 Author: gallatin Date: Mon Apr 15 17:14:50 2019 New Revision: 346247 URL: https://svnweb.freebsd.org/changeset/base/346247 Log: mlx5en: Enable new pfil(9) KPI ethernet filtering hooks This allows efficient filtering at packet ingress on mlx5en. Note that the packets are filtered (and potentially dropped) *before* the driver has committed to (re)allocating an mbuf for the packet. Dropped packets are treated essentially the same as an error. Nothing is allocated, and the existing buffer is recycled. This allows us to drop malicious packets at close to line rate with very little CPU use. Reviewed by: hselasky, slavash, kib Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D19063 Modified: head/sys/dev/mlx5/mlx5_en/en.h head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c head/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c Modified: head/sys/dev/mlx5/mlx5_en/en.h ============================================================================== --- head/sys/dev/mlx5/mlx5_en/en.h Mon Apr 15 16:57:27 2019 (r346246) +++ head/sys/dev/mlx5/mlx5_en/en.h Mon Apr 15 17:14:50 2019 (r346247) @@ -48,6 +48,7 @@ #include #include #include +#include #include #include @@ -838,6 +839,7 @@ struct mlx5e_priv { struct mlx5e_clbr_point clbr_points[2]; u_int clbr_gen; + struct pfil_head *pfil; struct mlx5e_channel channel[]; }; Modified: head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c ============================================================================== --- head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Mon Apr 15 16:57:27 2019 (r346246) +++ head/sys/dev/mlx5/mlx5_en/mlx5_en_main.c Mon Apr 15 17:14:50 2019 (r346247) @@ -3664,6 +3664,7 @@ mlx5e_create_ifp(struct mlx5_core_dev *mdev) struct sysctl_oid_list *child; int ncv = mdev->priv.eq_table.num_comp_vectors; char unit[16]; + struct pfil_head_args pa; int err; int i; u32 eth_proto_cap; @@ -3898,6 +3899,12 @@ mlx5e_create_ifp(struct mlx5_core_dev *mdev) callout_init(&priv->tstmp_clbr, CALLOUT_DIRECT); mlx5e_reset_calibration_callout(priv); + pa.pa_version = PFIL_VERSION; + pa.pa_flags = PFIL_IN; + pa.pa_type = PFIL_TYPE_ETHERNET; + pa.pa_headname = ifp->if_xname; + priv->pfil = pfil_head_register(&pa); + return (priv); #ifdef RATELIMIT @@ -3972,6 +3979,12 @@ mlx5e_destroy_ifp(struct mlx5_core_dev *mdev, void *vp if_printf(priv->ifp, "Waiting for all unlimited connections " "to terminate\n"); pause("W", hz); + } + + /* deregister pfil */ + if (priv->pfil != NULL) { + pfil_head_unregister(priv->pfil); + priv->pfil = NULL; } /* unregister device */ Modified: head/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c ============================================================================== --- head/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c Mon Apr 15 16:57:27 2019 (r346246) +++ head/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c Mon Apr 15 17:14:50 2019 (r346247) @@ -430,15 +430,18 @@ mlx5e_decompress_cqes(struct mlx5e_cq *cq) static int mlx5e_poll_rx_cq(struct mlx5e_rq *rq, int budget) { - int i; + struct pfil_head *pfil; + int i, rv; + CURVNET_SET_QUIET(rq->ifp->if_vnet); + pfil = rq->channel->priv->pfil; for (i = 0; i < budget; i++) { struct mlx5e_rx_wqe *wqe; struct mlx5_cqe64 *cqe; struct mbuf *mb; __be16 wqe_counter_be; u16 wqe_counter; - u32 byte_cnt; + u32 byte_cnt, seglen; cqe = mlx5e_get_cqe(&rq->cq); if (!cqe) @@ -462,6 +465,39 @@ mlx5e_poll_rx_cq(struct mlx5e_rq *rq, int budget) rq->stats.wqe_err++; goto wq_ll_pop; } + if (pfil != NULL && PFIL_HOOKED_IN(pfil)) { + seglen = MIN(byte_cnt, MLX5E_MAX_RX_BYTES); + rv = pfil_run_hooks(rq->channel->priv->pfil, + rq->mbuf[wqe_counter].data, rq->ifp, + seglen | PFIL_MEMPTR | PFIL_IN, NULL); + + switch (rv) { + case PFIL_DROPPED: + case PFIL_CONSUMED: + /* + * Filter dropped or consumed it. In + * either case, we can just recycle + * buffer; there is no more work to do. + */ + rq->stats.packets++; + goto wq_ll_pop; + case PFIL_REALLOCED: + /* + * Filter copied it; recycle buffer + * and receive the new mbuf allocated + * by the Filter + */ + mb = pfil_mem2mbuf(rq->mbuf[wqe_counter].data); + goto rx_common; + default: + /* + * The Filter said it was OK, so + * receive like normal. + */ + KASSERT(rv == PFIL_PASS, + ("Filter returned %d!\n", rv)); + } + } if ((MHLEN - MLX5E_NET_IP_ALIGN) >= byte_cnt && (mb = m_gethdr(M_NOWAIT, MT_DATA)) != NULL) { #if (MLX5E_MAX_RX_SEGS != 1) @@ -480,7 +516,7 @@ mlx5e_poll_rx_cq(struct mlx5e_rq *rq, int budget) bus_dmamap_unload(rq->dma_tag, rq->mbuf[wqe_counter].dma_map); } - +rx_common: mlx5e_build_rx_mbuf(cqe, rq, mb, byte_cnt); rq->stats.bytes += byte_cnt; rq->stats.packets++; @@ -499,6 +535,7 @@ wq_ll_pop: mlx5_wq_ll_pop(&rq->wq, wqe_counter_be, &wqe->next.next_wqe_index); } + CURVNET_RESTORE(); mlx5_cqwq_update_db_record(&rq->cq.wq);